Configuring Applications Access Policies

Mar 05, 2014

When you deploy a software inventory package to a device, Device Manager maintains the list of apps. You can work from those lists to configure Applications Access Policies, also known as application blacklists and whitelists, to manage users' access to applications on their devices.

You can also use the Applications Access Policies in the following ways:

As triggers for Automated Actions. For example, if Device Manager detects that a device has an unapproved app installed, you can configure an Automated Action that remotely wipes a device, or sends a notification to the user that the user's device is out of compliance with the organization's policy.

To serve as device status flags for the Secure Mobile Gateway rules. For example, if Device Manager detects that a device has an unapproved app installed, you can configure the Secure Mobile Gateway rules to block the device from receiving email from the organization. For more information, see Secure Mobile Gateway Policies and Rules.

Applications Access Policies Types

You can create the following types of Applications Access Policies:

Forbidden (blacklist). A list of apps that users cannot install on their devices. If even one app on the device matches an app in the Forbidden list in Device Manager, the device is considered to be in violation of the policy.

Suggested (whitelist). A list of apps that you suggest to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if users install an app that is not listed in the policy, the user's device is in violation of the policy.

Required (whitelist). A list of apps that must be installed on the device to be in compliance with the policy. Users must install all of the apps on the list. If any app on the list is not installed, the device is in violation of the policy.

App Definitions

Using the App bundle ID and App package name is optional in Device Manager when you define iOS and Android apps in your policies. Device Manager can identify apps more reliably, however, when you use these values.

In iOS, an App bundle ID is traditionally a reverse-domain-name style string used when a developer creates a new app. For example, for Angry Birds (www.rovio.com/), the App bundle ID on iOS is 'com.rovio.angrybirds'. On Android, the App package naming convention is similar to iOS, in which the developer identifies the app with a reverse-domain-name style string. The last part of the name is the name of the App package, often with the file extension appended to the end. For example, for Angry Birds, the App package name on Android is 'com.rovio.angrybirds.apk'.
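
The following added example (not Device Manager code) models how the three policy types described above evaluate against a device's app inventory, and why an entry with a bundle ID catches an app that a name-only entry misses. The matching rule, the App and evaluate names, the "Angry Birds Free" display name and the com.example.* identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    app_id: str = ""  # iOS bundle ID or Android package name; optional, as in the policy

def same_app(entry: App, installed: App) -> bool:
    # Assumed matching rule: compare identifiers when both sides have one,
    # otherwise fall back to a case-insensitive display-name comparison.
    if entry.app_id and installed.app_id:
        return entry.app_id == installed.app_id
    return entry.name.strip().casefold() == installed.name.strip().casefold()

def evaluate(policy_type: str, entries: list, inventory: list):
    """Return (compliant, offending) for one policy against one device inventory."""
    listed = lambda app: any(same_app(e, app) for e in entries)
    present = lambda entry: any(same_app(entry, app) for app in inventory)
    if policy_type == "forbidden":      # any installed app on the list violates
        offending = [a for a in inventory if listed(a)]
    elif policy_type == "suggested":    # any installed app NOT on the list violates
        offending = [a for a in inventory if not listed(a)]
    elif policy_type == "required":     # any listed app that is missing violates
        offending = [e for e in entries if not present(e)]
    else:
        raise ValueError(f"unknown policy type: {policy_type}")
    return (not offending, offending)

# Constructed iOS inventory; the com.example.* identifiers are placeholders.
INVENTORY = [
    App("Angry Birds Free", "com.rovio.angrybirds"),
    App("Corp Mail", "com.example.mail"),
]

if __name__ == "__main__":
    by_name = [App("Angry Birds")]                        # name-only entry
    by_id = [App("Angry Birds", "com.rovio.angrybirds")]  # entry with bundle ID
    required = [App("Corp Mail", "com.example.mail"), App("Corp VPN", "com.example.vpn")]
    print(evaluate("forbidden", by_name, INVENTORY))   # display name differs: no match
    print(evaluate("forbidden", by_id, INVENTORY))     # bundle ID matches: violation
    print(evaluate("suggested", [App("Corp Mail", "com.example.mail")], INVENTORY))
    print(evaluate("required", required, INVENTORY))   # Corp VPN missing: violation
```
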

To configure an Applications Access Policy

In the Device Manager web console, click the Policies tab.

On the left side of the console, under App Policies, Global > Applications Access Policies, click New Applications Access Policy.

In the Add a new Applications Access Policy dialog box, enter a name for the policy, such as Forbidden iOS Apps, and then optionally enter a description.

In Access policy, click one of the following options:

Required (whitelist). Defines a list of apps that users are required to install on their device to be in compliance with the policy. If any of the apps is not installed, the device is in violation of the policy.

Suggested (whitelist). Defines a list of apps that are suggested to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if the user installs any apps that are not listed in the policy, the device is in violation of the policy.

Forbidden (blacklist). Defines a list of apps that users should not install on their devices. If any apps on the device match an app in this list, the device is in violation of the policy.

In OS type, select the device platform you want to associate with the policy.

Click New app.

In the Add a new application dialog box, enter the name of an app that you would like to add to the Applications Access Policy list. When you add an app, you can optionally enter the app bundle ID and app package name for iOS and Android. If you configure these fields, Device Manager uses the values to identify the app.

Click Create. This will create the application in the list.

The app appears in the list in the Add a new application dialog box.

Click Create again to create the Applications Access Policy. Once created, you can add this policy to a deployment package and deploy it to the devices you want to manage.